Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAS No. 70, Service Organizations A standard for reporting on a service organization’s controls affecting user entities' financial statements. Only for.

Published byAudra Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "SAS No. 70, Service Organizations A standard for reporting on a service organization’s controls affecting user entities' financial statements. Only for."— Presentation transcript:

1

2 SAS No. 70, Service Organizations A standard for reporting on a service organization’s controls affecting user entities' financial statements. Only for use by service organization management, existing user entities, and their auditors.

3 SAS No. 70, Service Organizations Misuse: “SAS 70 Certified” or “SAS 70 Compliant” Controls related to subject matter other than internal control over financial reporting Made report public

4 Other Service Organization Control Reports (SOC) Marketplace demand for detailed report on controls on subject matter other than internal control over financial reporting include: Security Availability Processing integrity Confidentiality Privacy

5 How the AICPA Addressed Issues Split SAS 70 into two standards: one for service auditors (SSAE 16), the other for user auditors (effective for 2012 year-end audits) Recognized need for assessment of controls over security, availability, processing integrity, confidentiality or privacy Brought together all options for reporting on controls at service orgs Supported public interest by helping CPAs/service organizations correctly apply and use the standards

6 Service Organization Control Reports 3 reports to help service organizations demonstrate reliability CPA, client determine proper engagement for market need SOC logo for service org’s marketing, websites Information on SOC reports: aicpa.org/soc

7 SOC Report Logos For CPAs who provide the services that result in a SOC 1, SOC 2 or SOC 3 report For service organizations that had a SOC 1, SOC 2 or SOC 3 engagement within the past year

8 New Standards and Names Trust Services Principles and Criteria

9 SOC 1 Report (restricted use) Report on controls at a service organization relevant to a user entity’s internal control over financial reporting

10 SOC 1 Report (restricted use) Engagement performed under: SSAE 16 (auditor obtains level of evidence and assurance as in SAS 70 service auditor engagement) AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization Contents of report package: Description of service organization system CPA’s opinion on fairness of description, suitability of design, operating effectiveness of controls

11 SSAE 16: New Requirement for Written Assertion Service auditor must obtain written assertion from service organization’s management about the fairness of the presentation of the description of the service organization’s system and about the suitability of the design

12 SSAE 16: New Requirement for Written Assertion For type 2 engagements, operating effectiveness of the controls must be included in assertion Assertion will either accompany service auditor’s report or be included in description of service organization’s system

13 SOC 1 Reports – Type 1 and Type 2 Both report on the fairness of the presentation of management’s description of the service organization’s system, and…

14 SOC 1 Reports – Type 1 and Type 2 Type 1 also reports on the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date Type 2 also reports on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period

15 SOC 2 Report (use determined by auditor) Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy

16 A Word About Trust Principles and Criteria Each principle and criteria (except Privacy) is organized into four broad areas 1.Policies 2.Communications 3.Procedures 4.Monitoring Privacy criteria based on Generally Accepted Privacy Principles (GAPP) comprising of 10 principles

17 SOC 2 Report (use determined by auditor) Engagement performed under: AT 101, Attestation Engagements AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy Contents of report package same as SOC 1

18 SOC 2 Reports – Type 1 and Type 2 Both report on management’s description of a service organization’s system, and… Type 1 also reports on suitability of design of controls Type 2 also reports on suitability of design and operating effectiveness of controls

19 SOC 3 Report (general use) Trust Services Report for Service Organizations Engagement performed under: AT 101, Attestation Engagements AICPA TPA, Trust Services Principles, Criteria and Illustrations

20 SOC 3 Report (general use) Contents of report package: CPA’s opinion on whether entity maintained effective controls over its system A seal can be issued on service organization’s website (if CPA is so licensed by CICA)

21 Report Comparison Who the users are WhyWhat SOC 1Users’ controller’s office and user auditors Audits of Financial Statements Controls relevant to user financial reporting SOC 2Management Regulators Others GRC programs Oversight Due diligence Concerns regarding security, availability, processing integrity, confidentiality or privacy SOC 3Any users with need for confidence in service organization’s controls Marketing purposes; detail not needed Seal and easy to read report on controls

22 Which SOC Report Should Be Used? Will report be used by service users and their auditors to plan/perform an audit of their financial statements? Yes SOC 1 Report Will report be used by service users and/or stakeholders to gain confidence and place trust in a service organization’s system? YesSOC 2 or SOC 3 Report Does the report need to be made generally available or is a seal needed? YesSOC 3 Report

23 Deciding Between SOC 2 and SOC 3 Reports Do the service users have the need for/ ability to understand the details of processing and controls at a service organization, the tests performed by the service auditor and results of those tests? Yes SOC 2 Report NoSOC 3 Report

24 Company Responsibilities Although a process has been outsourced, the user organization is responsible for the accuracy and integrity of the financial data associated with the outsourced process.

25 Company Responsibilities The User Organization must understand the design and operating effectiveness of internal controls at the Service Provider and how those controls interact with their own.

26 Company Responsibilities A SOC report can be used to help reduce but not eliminate management’s need to perform independent evaluation procedures of Service Provider’s internal controls.

27 Assessing Usefulness of a SOC Report Consider: Service Auditor’s Professional Reputation / Competency Scope of Report Relevancy Opinion and Exceptions User Control Considerations Gap Period

28 Should I Request a SOC Report? Consider requesting a report if the vendor: Processes financial transactions Has physical or logical possession of systems Has access to customer or employee personally identifiable information Has access to confidential information Controls availability of systems or data Is regularly audited by customers

29 Questions? Michael Hulet, CPA, CISA Principal at Perkins & Co 503-221-7533 mhulet@perkinsaccounting.com Twitter: @PerkinsCo

Download ppt "SAS No. 70, Service Organizations A standard for reporting on a service organization’s controls affecting user entities' financial statements. Only for."

Similar presentations

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Learning Objectives LO1 Describe the role of professional judgment in achieving the overall objectives of the independent auditor in conducting an audit.

Learning Objectives LO1 Describe the role of professional judgment in achieving the overall objectives of the independent auditor in conducting an audit.
Additional Assurance Services: Other Information

Additional Assurance Services: Other Information
Financial Statements Audit

Financial Statements Audit
CHAPTER 1 AUDITING AND THE PUBLIC ACCOUNTING PROFESSION Fall 2007 u What is auditing? u Types of Audits u Independent Auditor Relationships u Services.

CHAPTER 1 AUDITING AND THE PUBLIC ACCOUNTING PROFESSION Fall 2007 u What is auditing? u Types of Audits u Independent Auditor Relationships u Services.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 2 - 1 The CPA Profession Chapter 2.

©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley The CPA Profession Chapter 2.
Audit and Assurance services

Audit and Assurance services
Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.

Dr. Mohamed A. Hamada Lecturer of Accounting Information Systems Advanced Auditing Lecture 1 Assurance and Attestation Services.
SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.

SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.
March 6, 2012 SOC Reporting: What is New in the Audit Guides?

March 6, 2012 SOC Reporting: What is New in the Audit Guides?
Learning Objectives LO1 Describe the current audit environment, including developments in regulatory oversight and provincial regulation of public accountants.

Learning Objectives LO1 Describe the current audit environment, including developments in regulatory oversight and provincial regulation of public accountants.
Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.

Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
Module A1 Other Public Accounting Services ACCT 4080.

Module A1 Other Public Accounting Services ACCT 4080.
The Demand for Audit and Other Assurance Services Chapter 1.

The Demand for Audit and Other Assurance Services Chapter 1.
OTHER SERVICES AND REPORTS. STATEMENTS FOR CPAS PROVIDING ACCOUNTING AND AUDITING SERVICES 1939 - COMMITTEE ON AUDITING PROCEDURES –STATEMENTS ON AUDITING.

OTHER SERVICES AND REPORTS. STATEMENTS FOR CPAS PROVIDING ACCOUNTING AND AUDITING SERVICES COMMITTEE ON AUDITING PROCEDURES –STATEMENTS ON AUDITING.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 24 - 1 Other Assurance Services Chapter 24.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley Other Assurance Services Chapter 24.

Similar presentations

Ads by Google